The grand "finale" of China's Encryption Law - November 2019 - HL Chronicle of ...
Introduction and overview

After a wait of more than two years since the first draft, the long-awaited People’s Republic of China Encryption Law (the “Encryption Law”) was finally promulgated by the People's Republic of China ("China" or "PRC") National People's Congress ("NPC") Standing Committee on 26 October 2019, and will take effect on 1 January 2020. The State Commercial Cryptography Administration (“OSCCA”) had issued two prior drafts for public comment: the first draft on 13 April 2017 (the "2017 Draft"), followed by the second draft on 5 July 2019 (the "2019 Draft").

The final text of the Encryption Law seems to have gone some way to taking on board some of the bigger concerns expressed by the business community in relation to the 2017 Draft: (i) whether mass-consumer products whose main function is not encryption (for example, anti-virus software) may be imported and used in China without restriction; and (ii) the potential for abuse of the wide and intrusive powers (including power to require decryption of traffic or supply of decryption keys) given to the Chinese regulators in relation to the administration of encryption products and services. However, some of the other concerns remain, for instance, uncertainty over whether imported encryption products are still off limits to domestic entities and individuals, and whether imported encryption products are still subject to internal use restrictions when imported by foreign invested enterprises ("FIEs"), meaning overseas encryption technology providers remain shut out of the Chinese domestic cryptography market; and whether critical information infrastructure (“CII”) operators, once designated as such, can continue using existing imported encryption products and services.

Overall, the Encryption Law follows the same format as the 2017 Draft and the 2019 Draft by setting out a generic set of principles and basic rules on the regulation of the three types of encryption products, namely:

- core encryption products, technologies and services ("Core Encryption");
- general encryption products, technologies and services ("General Encryption"); and
- commercial encryption products, technologies and services ("Commercial Encryption").

Please see our earlier briefing on the 2017 Draft here (the "Earlier Note").

Also in common with the approach in the 2017 Draft and the 2019 Draft, Core Encryption and General Encryption Products are still being used as an umbrella term for products designed to protect state secrets (and are deemed to be state secrets themselves in the Encryption Law), but for the most part are not particularly relevant to multinational companies. As such, this briefing will focus on the regulation of Commercial Encryption products.

Highlights of the Encryption Law

Import permit and export control

As was the case under the 2017 Draft, the import and export of Commercial Encryption products will remain subject to government approval. Article 28 of the Encryption Law provides that:

- Import permit: applies to Commercial Encryption products that may affect national security, the public interest and products that have encryption-based protective functions; this suggests that no import permit will be required for imported Commercial Encryption products that do not fall under one of these categories and that China may issue a new Import Catalogue listing out which classes or specific imported products require an import permit;
- Export controls: apply to Commercial Encryption products that may affect national security, the public interest or are used to fulfil China’s international obligations.

Again, the Ministry of Commerce (the "MOFCOM") together with the OSCCA and the GAC will issue catalogues of Commercial Encryption products that are subject to the above import permit and export controls, respectively.

As set out in our Earlier Note, MOFCOM has, for the first time, been brought into the encryption field and appears to play a leading position in the administration of the import and export of Commercial Encryption products. It is unclear to us as to what extent MOFCOM will continue to play this role going forward, although it is a natural extension of its duties as the cross-border commerce regulator.

As was the case under the 2017 Draft and the 2019 Draft, the Encryption Law still does not address the point of whether imported Commercial Encryption products will still be limited to internal use, i.e., for internal communications with the parent company or other offshore affiliates (see further analysis below).

“Core function” test “fortified”?

The current Catalogue for the Administration of the Importation of Encryption Products and Equipment Incorporating Encryption Technologies (the "Import Catalogue") was issued by the OSCCA and the General Administration of Customs (the "GAC") on 31 December 2013. It provides for 9 categories of encryption products [1] that are subject to OSCCA approval when imported into China. The Import Catalogue is non-exhaustive. As a matter of current practice [2], even if a product is not included in the Import Catalogue, as long as the product is caught under the general "core function" test (meaning that such product has encryption as its main function), the importation of hardware products meeting the test must be approved by OSCCA prior to importation (which essentially makes having a list of specified products redundant).

The above-mentioned "core function" test seems to have become the prevailing view after the OSCCA began to realize that the current import restrictions were, if strictly followed, basically unworkable. However, there has not been any corresponding repeal of, or amendments to, current laws and regulations, so we consider the "core function" test to only be an unofficial administrative policy within OSCCA as opposed to black letter law.

Nowadays, virtually all electronic communication products and software products (mobile telephones, laptops, email systems) use encryption technology to a greater or lesser extent in order to protect their source code, or for other security and privacy-related reasons.

[1] (i) electrostatic photosensitive multi-functional integrated encrypted fax machines (which can be connected to automatic data processing equipment or networks); (ii) other multi-functional integrated encrypted fax machines (with one or more of printing and copying functions); (iii) other encrypted fax machines (which can be connected to automatic data processing equipment or networks); (iv) cordless encrypted telephones; (v) other encrypted telephones; (vi) optical communication encrypted routers; (vii) non-optical communication encrypted Ethernet switches; (viii) non-optical communication encrypted routers; and (ix) encryption machines and encryption cards (not including digital TV smart cards, Bluetooth modules, or dongles used for the protection of intellectual property rights).

[2] Based on the responses consistently received to our no-names telephone inquiries with the central-level OSCCA, and its Shanghai, Beijing, Guangdong, and Jiangsu counterparts.
The business community therefore needs urgent clarification on this point, given how widely encryption technologies are used for securing electronic products in daily use.

The Encryption Law takes one further step towards trying to address these concerns. For the first time, Article 28 of the Encryption Law clarifies and confirms, in legislation with the status of a law, that Commercial Encryption that is used on mass-market consumer products is exempted from the import permit and export control requirements. With only one general sentence to rely on, it only provides very high-level conceptual guidance, and leaves practical questions, such as the definition or scope of “mass-market consumer products” and whether this is, in fact, a “core function” test by any other name, unanswered.

Link to the cyber security regime

The Encryption Law has two articles (Article 26 and Article 27) which apparently were drafted with the existing cyber security regime under the PRC Cyber Security Law, effective 1 June 2017 ("Cyber Security Law") in mind:

- Commercial Encryption products that involve national security, the national economy and people’s livelihoods or the public interest shall be listed in the key network equipment and specialized cyber security products catalogue, and must pass testing and certification (which the Encryption Law helpfully confirms is, in fact, the same testing and certification required under the Cyber Security Law, so as to avoid repetitive testing and certification);
- Those engaging in the provision of Commercial Encryption services using any key network equipment and specialized cyber security products must pass certification conducted by Commercial Encryption certification institutions;
- Where required under applicable PRC laws to use Commercial Encryption products to protect critical information infrastructure ("CII"), CII operators must carry out a security assessment on the use of such Commercial Encryption products either through self-assessment or through Commercial Encryption testing institutions. Such security assessment shall be in sync with those security assessments required for CII and for classification-based protection of cyber security systems under the Cyber Security Law, so as to avoid repetitive testing and certification;
- Where CII operators wish to purchase Commercial Encryption products which may potentially have an impact on national security, such purchases shall be subject to a national security review by the Cyberspace Administration of China ("CAC"), the OSCCA and other relevant authorities as provided under the Cyber Security Law. The reference to products impacting on national security is a reference to the current Network Products and Services Security Review Measures effective 1 June 2017, which are expected to be replaced when the draft Cybersecurity Review Measures (please see our earlier briefing here) are finally issued. The latter set out general guidance on the review process.

The requirements in relation to key network equipment and specialized cyber security products passing security certification or security testing originate from Article 23 of the Cyber Security Law. On the same day as the Cyber Security Law took effect, the CAC, the Ministry of Industry and Information Technology ("MIIT"), the Ministry of Public Security ("MPS"), and the Certification and Accreditation Administration jointly issued a circular reiterating such certification/testing requirements, together with a Key Network Equipment and Specialized Cyber Security Products (Batch No. 1) Catalogue (“Batch No. 1 Catalogue”). Commercial Encryption products were not included in the Batch No. 1 Catalogue, but when the Encryption Law becomes effective, Commercial Encryption products involving national security, the national economy and people’s livelihoods or the public interest shall be deemed to be Key Network Equipment and Specialized Cyber Security Products by operation of law.

It is still not clear under the Encryption Law as to when or under what circumstances Commercial Encryption must be used by CIIs. Given the sensitivity of the networks designated as CIIs [3], it appears that all CIIs may be required to be equipped with Commercial Encryption products. Under the draft Cybersecurity Classified Protection Regulations issued by the MPS in June 2018 for public comment ("Draft Classified Protection Regulations") (see our earlier briefing here), encryption-based protection must be established for networks deemed to constitute Level 3 or above. The Draft Classified Protection Regulations create a multi-level protection scheme for networks based on the potential degree of harm to national security, public order, the public interest and the lawful rights and interests of the PRC if the system were breached or disrupted. Based on this, any destruction of a network from Level 3 upwards may jeopardize national security. So based on the definition of CII, the networks designated as CIIs are most likely to be deemed to constitute Level 3 or above networks, triggering the requirement to use Commercial Encryption. Presumably CIIs will still use General Encryption or Core Encryption products for networks involving state secrets.

Removal of compulsory duty to provide decryption support to the Chinese government

Following the approach in the 2019 Draft, the Encryption Law has removed the compulsory duty on telecommunications operators and Internet services providers to cooperate with the Chinese authorities in relation to investigations by providing decryption technical support, which, as set out in our Earlier Note, was the most worrying aspect of the 2017 Draft. The Encryption Law further eliminates OSCCA’s sweeping and intrusive investigatory powers by deleting the entire supervision and administration chapter of the 2017 Draft. Against the backdrop of trade tensions with the United States, the Encryption Law could be seen as an attempt to seek a balance between the need to safeguard national security and the protection of the interests of business participants in China. Please note that notwithstanding this welcome revision, as network operators are still generally required to cooperate with supervisory and investigatory bodies under Article 49 of the Cyber Security Law, the extent of cooperation which will be called upon by the Chinese government in practice still remains to be seen. The Chinese government still has tremendous leverage over telecommunications and internet service providers given the fact that they rely on licences issued by MIIT for their continued existence.

The Encryption Law purports to establish an administration regime combining daily supervision with random inspections, with the results of such supervision and random inspections linked to the social credit system (see our earlier briefing here).

[3] CII is stated in the Cyber Security Law to be critical infrastructure relating to critical industries, being public communications and information services, energy, transportation, water conservancy, finance, public services, e-government affairs and other significant industries and sectors, as well as any other infrastructure that may jeopardise national security, the national economy, people’s livelihoods or the public interest were it to be destroyed, experience a loss of functionality or data leakage.
Promoting the standards of Commercial Encryption

Given that Commercial Encryption products are highly technical in nature, the Encryption Law emphasizes the importance of establishing national and industry standards as well as promoting the internationalization of the standards in the Commercial Encryption field. Based on the information on the official website of OSCCA, there are already approximately 90 standards focusing on encryption products and technologies. The latest standard was issued in 2016. With the issuance of the Encryption Law, we anticipate that there will be more standards issued in this area. Given the very close connection between encryption and China’s national security needs, it remains to be seen whether other countries will be willing to incorporate domestic standards into international standards, and make international standards interoperable with them.

What questions remain unanswered?

Will restrictions on the sale of imported Commercial Encryption be lifted?

Prior to the promulgation of the Encryption Law, only domestic Commercial Encryption products were allowed to be sold and used in China, and then subject to such domestic Commercial Encryption products having obtained a type certificate issued by the OSCCA. The law as it currently stands in relation to imported Commercial Encryption products provides that only FIEs, foreign organizations (such as representative offices of overseas companies) and foreign nationals may use imported Commercial Encryption products. While the previous requirement to get approval for the use of Commercial Encryption products has gone, they must still obtain an import permit from the OSCCA on a case-by-case basis before they may import and use such imported Commercial Encryption products. For FIEs, there are two additional requirements: there must be a genuine business need to use such products, and such products can only be used for the purpose of internal communications with foreign parties, e.g. offshore affiliates of the importer (“Internal Use Restriction”).

Article 21 of the Encryption Law provides that all Commercial Encryption operators including domestic companies and FIEs carrying out R&D activities, manufacture, sales, services, import and export shall be treated equally in accordance with the law. Furthermore, Article 21 goes on to say that Commercial Encryption technology cooperation during foreign investment shall be encouraged. In a silent nod to similar provisions on forced intellectual property transfers in return for market access in the Foreign Investment Law which takes effect on the same date as the Encryption Law (see our two separate notes: The foreign investment law: A new chapter opens for foreign direct investment in China and The Foreign Investment Law gets wings: draft implementation regulations released for public consultation), no forced Commercial Encryption-related technological transfer may be imposed by administrative organs and their officers.

Due to the general nature of the provision, it is still unclear to us (i) whether the "equal treatment" principle will mean both domestic capital and foreign entities and individuals will be permitted to import foreign-made Commercial Encryption products or services; and (ii) whether the Internal Use Restriction will be lifted, meaning imported Commercial Encryption products and services may be sold to third parties. We made telephone enquiries with the OSCCA but the officials we spoke to were unwilling to provide any interpretation of Article 21.
Effect of designation of CII on existing Import Permit

The Encryption Law is still silent on whether any FIE in China that is currently using a foreign manufactured Commercial Encryption product (with an import permit issued by the OSCCA) will be allowed to continue to use it after it has been designated a CII operator or whether a new import permit will be required.

Conclusion

The Encryption Law clearly represents a step in the right direction in terms of putting in place a comprehensive law in the encryption field. It appears to show that China is listening to some of the concerns expressed in comments on the prior drafts in that it no longer requires telecommunication operators and Internet content providers to provide the Chinese government with decryption support. However, the Encryption Law still has a strongly political flavour, as it continues to emphasize that the leadership of the Chinese Communist Party over encryption work must be upheld.

Undoubtedly, this version of the Encryption Law has, to some extent, been influenced by trade tensions and ongoing trade discussions. However, this sensitive area, which China links so closely to state security and secrecy, is not one where we think China will be willing to compromise or liberalise readily.

Even if the parameters of the exemption for mass market consumer products in Article 28 are far from clear, this is a step forward in terms of defining which products are regulated, thereby potentially saving costs being incurred by FIEs in China in trying to understand which products do or do not require an import permit. The full meaning of the provision on equal treatment in Article 21 of the Encryption Law may only be revealed in subsequent implementing legislation and practice, but it can be seen as the best hope for opening up of the Commercial Encryption area which has remained closed to foreign investment to date.

As mentioned in the official news report regarding the promulgation of the Encryption Law on the next day of its promulgation, implementing rules are expected to be issued in the coming months to supplement the general concepts under the Encryption Law and to bring rules issued earlier in line with the Encryption Law. Commercial Encryption businesses need to keep a close eye on legislative developments on this front, as the Encryption Law remains very much a high-level framework document, and details of how the Encryption Law will work, as well as clarification on the questions it fails to answer, are only likely to be found in the forthcoming implementing rules, which may explain why OSCCA is unwilling to provide interpretations of certain key provisions at this point in time.
Contacts

Hong Kong
Andrew McGinty, Partner, Hong Kong, andrew.mcginty@hoganlovells.com

Beijing
Roy Zou, Partner, Beijing, roy.zou@hoganlovells.com
Sherry Gong, Partner, Beijing, sherry.gong@hoganlovells.com

Shanghai
Maggie Shen, Senior Associate, Shanghai, maggie.shen@hoganlovells.com
Jia Zhan, Associate, Shanghai, jia.zhan@hoganlovells.com
© Hogan Lovells 2019. All rights reserved.